tHTTPd and Mini_HTTPd are small HTTP server implementations. Both products contain a security vulnerability in the way they protect non-world-readable files and password-protected files. The vulnerability allows access to restricted files.
Credit:
The information has been provided by zeno.
The problem lies in the way the HTTP daemon handles file requests. Even if a request for a file would normally be answered with 403 (the file is not world readable), or the file is in a password-protected directory, it is still possible to view the file remotely. The tHTTPd web server is only affected when the chroot option is used; all versions of the Mini_HTTPd web server appear to be affected.
If htaccess is used to password protect a directory, an attacker who knows the name of the file he wants to view can access data behind the password-protected area without a valid login. This also works on htpasswd files in general, which the web server itself protects so that they cannot be read over the web. A request like the one below will gladly feed the contents of a .htpasswd file.
http://host/protected-dir/.htpasswd/ (Notice the / on the end)
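The effect of the trailing slash on a name-based protection check, as an added example that is not code from tHTTPd, Mini_HTTPd or the advisory. It assumes a check that compares only the end of the requested path with the protected file name; the function names and sample paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_FILE ".htpasswd"   /* file name taken from the advisory */

/* Naive check (assumed model): compares only the tail of the path with
   AUTH_FILE. A trailing '/' changes the tail, so the check misses. */
static int is_auth_file_naive(const char *path)
{
    size_t plen = strlen(path), alen = strlen(AUTH_FILE);
    if (plen < alen)
        return 0;
    if (strcmp(path + plen - alen, AUTH_FILE) != 0)
        return 0;
    return plen == alen || path[plen - alen - 1] == '/';
}

/* Hardened check: ignore trailing slashes before comparing the last
   path component. The plen > 0 guard keeps "/" and "" from indexing
   before the start of the buffer. */
static int is_auth_file_hardened(const char *path)
{
    size_t plen = strlen(path), alen = strlen(AUTH_FILE);
    while (plen > 0 && path[plen - 1] == '/')
        --plen;
    if (plen < alen)
        return 0;
    if (strncmp(path + plen - alen, AUTH_FILE, alen) != 0)
        return 0;
    return plen == alen || path[plen - alen - 1] == '/';
}

int main(void)
{
    /* Constructed sample paths, not taken from a real server. */
    const char *samples[] = {
        "protected-dir/.htpasswd", "protected-dir/.htpasswd/",
        "protected-dir/.htpasswd///", "protected-dir/index.html", "/", ""
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-28s naive=%d hardened=%d\n", samples[i],
               is_auth_file_naive(samples[i]),
               is_auth_file_hardened(samples[i]));
    return 0;
}
```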
Fixes:
The vendor has been contacted about this issue. Check the vendor webpage for newer web server versions along with patches at the links below.
Patch information:
http://www.acme.com/software/thttpd/
http://www.acme.com/software/mini_httpd/
Patch:
******************************************************************************
THTTPD VENDOR PATCH BELOW THIS LINE
******************************************************************************
<--- Insert patch here --->
*** libhttpd.c.old Mon Nov 12 17:44:18 2001
--- libhttpd.c Mon Nov 12 16:28:42 2001
***************
*** 1422,1429 ****
struct stat sb;
if ( stat( path, &sb ) != -1 )
{
! httpd_realloc_str( &checked, &maxchecked, strlen( path ) );
(void) strcpy( checked, path );
httpd_realloc_str( &rest, &maxrest, 0 );
rest[0] = '\0';
*restP = rest;
--- 1447,1461 ----
struct stat sb;
if ( stat( path, &sb ) != -1 )
{
! checkedlen = strlen( path );
! httpd_realloc_str( &checked, &maxchecked, checkedlen );
(void) strcpy( checked, path );
+ /* Trim trailing slashes. */
+ while ( checked[checkedlen - 1] == '/' )
+ {
+ checked[checkedlen - 1] = '\0';
+ --checkedlen;
+ }
httpd_realloc_str( &rest, &maxrest, 0 );
rest[0] = '\0';
*restP = rest;
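Review bot: The new trimming loop, "while ( checked[checkedlen - 1] == '/' )", has no lower bound on checkedlen. For a path made up only of slashes (for example "/", which stat() accepts), the loop empties the string and then reads checked[-1], one byte before the buffer; an empty path would do the same on the first iteration. Suggest guarding the index, e.g. "while ( checkedlen > 0 && checked[checkedlen - 1] == '/' )", and deciding explicitly whether a bare "/" should be left intact rather than trimmed to an empty string. The declaration of checkedlen is also not visible in this hunk; it should be an unsigned size type declared alongside the other locals.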
<--- End of patch --->